From 13ffa287b1a2edd788fa21cfef447766dbd77821 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 3 Jul 2023 22:17:30 +0800
Subject:  Fix bug of branches API with tests(#25578) (#25579)

Backport #25578

This PR added a repository's check when creating/deleting branches via
API. Mirror repository and archive repository cannot do that.
---
 routers/api/v1/repo/branch.go | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

(limited to 'routers')

diff --git a/routers/api/v1/repo/branch.go b/routers/api/v1/repo/branch.go
index 5336ccb797..04d179dfaa 100644
--- a/routers/api/v1/repo/branch.go
+++ b/routers/api/v1/repo/branch.go
@@ -116,6 +116,21 @@ func DeleteBranch(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
+	if ctx.Repo.Repository.IsEmpty {
+		ctx.Error(http.StatusNotFound, "", "Git Repository is empty.")
+		return
+	}
+
+	if ctx.Repo.Repository.IsArchived {
+		ctx.Error(http.StatusForbidden, "", "Git Repository is archived.")
+		return
+	}
+
+	if ctx.Repo.Repository.IsMirror {
+		ctx.Error(http.StatusForbidden, "", "Git Repository is a mirror.")
+		return
+	}
+
 	branchName := ctx.Params("*")
 
 	if err := repo_service.DeleteBranch(ctx, ctx.Doer, ctx.Repo.Repository, ctx.Repo.GitRepo, branchName); err != nil {
@@ -162,17 +177,30 @@ func CreateBranch(ctx *context.APIContext) {
 	// responses:
 	//   "201":
 	//     "$ref": "#/responses/Branch"
+	//   "403":
+	//     description: The branch is archived or a mirror.
 	//   "404":
 	//     description: The old branch does not exist.
 	//   "409":
 	//     description: The branch with the same name already exists.
 
-	opt := web.GetForm(ctx).(*api.CreateBranchRepoOption)
 	if ctx.Repo.Repository.IsEmpty {
 		ctx.Error(http.StatusNotFound, "", "Git Repository is empty.")
 		return
 	}
 
+	if ctx.Repo.Repository.IsArchived {
+		ctx.Error(http.StatusForbidden, "", "Git Repository is archived.")
+		return
+	}
+
+	if ctx.Repo.Repository.IsMirror {
+		ctx.Error(http.StatusForbidden, "", "Git Repository is a mirror.")
+		return
+	}
+
+	opt := web.GetForm(ctx).(*api.CreateBranchRepoOption)
+
 	var oldCommit *git.Commit
 	var err error
 
@@ -280,7 +308,12 @@ func ListBranches(ctx *context.APIContext) {
 
 	listOptions := utils.GetListOptions(ctx)
 
-	if !ctx.Repo.Repository.IsEmpty && ctx.Repo.GitRepo != nil {
+	if !ctx.Repo.Repository.IsEmpty {
+		if ctx.Repo.GitRepo == nil {
+			ctx.Error(http.StatusInternalServerError, "Load git repository failed", nil)
+			return
+		}
+
 		rules, err := git_model.FindRepoProtectedBranchRules(ctx, ctx.Repo.Repository.ID)
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "FindMatchedProtectedBranchRules", err)
-- 
cgit v1.2.3